Preface
This document is a translation of the original document. All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made for internal purposes. Suggestions and comments for improving this documentation will be gratefully received.
Connection
Network interfaces
Configuration
User interface
Establish connection to SecurityBridge
Managing users
8.3.1 Permissions
8.3.2 User groups
8.3.3 Create user
8.3.4 Manage user via RADIUS server
Operating Manual PCOM sec br2 1004534-EN-04...
Release of remote access with a key switch
12.3 PSS 4000 with an external control and OPC server
Technical details
Network data
Security-relevant log messages
Order reference
16.1 Product
16.2 Accessories
Introduction
Validity of documentation
This documentation is valid for the product PCOM sec br2. It is valid until new documentation is published. This operating manual explains the function and operation, describes the installation and provides guidelines on how to connect the product.
The request for the source code must be received 3 years at the latest after receipt of the relevant GPL or LGPL software. Irrespective of this period we will send you a complete, machine-readable copy of the source code as long as Pilz offers spares or technical support for this device.
The SecurityBridge PCOM sec br2 may only be connected to a head module from the PSS 4000 system or to a base unit of the configurable system PNOZmulti (please refer to the document "PNOZmulti System Expansion"...
– Damage can be attributed to not having followed the guidelines in the manual,
– Operating personnel are not suitably qualified,
– Any type of modification has been made (e.g. exchanging components on the PCB boards, soldering work etc.).
SecurityBridge
Fig.: DefenseInDepth
The product PCOM sec br2 secures the devices in the protected network from network-based attacks and/or unauthorised access via the network. The product is the last layer in the Defense in Depth concept. To efficiently implement the concept, the measures de-...
Protect the computer from unauthorised use by assigning passwords, and taking further measures, if required. We also recommend that the logged in user does not have administrator rights.
The computers used to monitor the system must be secured in accordance with general best-practice rules for security. As soon as possible, install firmware updates that Pilz provides for the device. Make sure you regularly check the event log of the product for security-relevant entries. A...
Make sure that the SecurityBridge is safely decommissioned before disposing of the device (see chapter Take SecurityBridge safely out of operation [ 41]). Where possible, perform these steps also when servicing and sending the device to Pilz.
Overview
Unit features
Application of the product PCOM sec br2: SecurityBridge for safe authentication and communication with a PSS 4000 or a PNOZmulti system. The product has the following features:
– Configurable via a web-based user interface
– VPN server to build a VPN tunnel for safe transfer of data...
– I0: Input
– O0: Output
– 24 V (A1), 0 V (A2): Module supply
– USB interface for USB memory to save and restore the configuration
– LEDs: PWR, DIAG, Bypass, User, Setup, I0, O0
– Firmware XXXX
VPN tunnel. In normal circumstances, the VPN client is within the company network. Configuration changes to a project can only be performed by users who have a relevant permission.
PCs (configuration PC). This enables tap-proof, manipulation-proof data transfer between the client PC and SecurityBridge. Only the VPN client from Pilz is supported. Up to 5 client connections can exist simultaneously. A VPN tunnel can only be built by authenticated, authorised users.
Setup mode is signalled via the digital output. If there is a 1-signal at the output, then setup mode is activated. If there is a 0-signal at the output, then setup mode is not activated.
CAUTION! When using the USB backup, make sure that the SecurityBridge and USB memory are protected against unauthorised access (by placing the SecurityBridge in a locked control cabinet, for example).
Damage due to electrostatic discharge! Electrostatic discharge can damage components. Ensure against discharge before touching the product, e.g. by touching an earthed, conductive surface or by wearing an earthed armband.
Dimensions (figure): 94 (3.70"), (1.77")
– Polarity protection
– No voltage stabilisation
Connection:
Supply to the module: X4
Supply to the SC outputs: X3
+ 24 V DC: Input X3, 24 V DC; Output X4, 24 V DC
– When Autonegotiation is used, Autonegotiation must also be activated at the remote station.
With deactivated autonegotiation:
– Communication speed: 10 Mbits/s or 100 Mbits/s
– Duplex: Half duplex or full duplex
1. Establish Ethernet connection
a) Connect the configuration PC directly to the Ethernet interface X1 of the SecurityBridge PCOM sec br2. Alternatively you can use a switch to which only the configuration PC and the SecurityBridge are connected.
9]).
6. Change network settings
To access the SecurityBridge PCOM sec br2 from the company network, change the network settings of the SecurityBridge. The settings are adapted in the Web interface under System → Settings → Network (see also Online Help).
AccessGroup-1, AccessGroup-2, AccessGroup-3: User is allowed to access the Generic Device belonging to one of these three groups if he is assigned to a user group with the same permission.
A secure Server Shared Secret must be entered to configure the RADIUS server. The same Server Shared Secret must be configured on the RADIUS server. Use a separate Server Shared Secret for each SecurityBridge that is configured via the RADIUS server.
Vendor type (1 Byte):
0 = Group name contained in the transmitted data
1 = Permissions contained in the transmitted data as comma-separated values
Vendor length (1 Byte): 2 + data length
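The sub-attribute layout above (vendor type, vendor length = 2 + data length, data) is the standard RADIUS Vendor-Specific Attribute format, and the RADIUS flowchart later in the manual evaluates the returned group name or permission list. The following is an added example, not Pilz code: it builds and parses such an attribute and applies the "check group or permissions from the response" step against a constructed group table. The Pilz vendor ID is not given on this page, so the value used here is a placeholder assumption, and the local group table is constructed sample data.

```python
# Added example (not Pilz code): build and parse the RADIUS Vendor-Specific
# Attribute sub-attribute layout the manual describes for the SecurityBridge.
# The vendor ID (IANA private enterprise number) is NOT given on this page;
# the value below is a placeholder assumption.
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26      # standard RADIUS attribute type (RFC 2865)
VENDOR_ID_PLACEHOLDER = 0xFFFFFFFF    # ASSUMPTION: real Pilz vendor ID not on this page

VT_GROUP_NAME = 0    # vendor type 0: data is a user group name
VT_PERMISSIONS = 1   # vendor type 1: data is comma-separated permission names


def encode_vsa(vendor_type: int, data: bytes, vendor_id: int = VENDOR_ID_PLACEHOLDER) -> bytes:
    """Return one RADIUS attribute (type 26) holding a single vendor sub-attribute.

    Sub-attribute layout per the manual: vendor type (1 byte), vendor length
    (1 byte) = 2 + len(data), then the data.
    """
    if vendor_type not in (VT_GROUP_NAME, VT_PERMISSIONS):
        raise ValueError("unknown vendor type")
    vendor_length = 2 + len(data)
    if vendor_length > 255 - 6:            # whole attribute length is one byte
        raise ValueError("data too long for one VSA")
    sub = struct.pack("!BB", vendor_type, vendor_length) + data
    attr_length = 2 + 4 + len(sub)         # type, length, vendor id, sub-attribute
    return struct.pack("!BBI", RADIUS_ATTR_VENDOR_SPECIFIC, attr_length, vendor_id) + sub


def decode_vsa(attr: bytes, vendor_id: int = VENDOR_ID_PLACEHOLDER) -> dict:
    """Parse a type-26 attribute; return {'group': str|None, 'permissions': list}.

    Malformed lengths raise ValueError instead of being silently accepted.
    """
    if len(attr) < 6:
        raise ValueError("attribute too short")
    atype, alen, vid = struct.unpack("!BBI", attr[:6])
    if atype != RADIUS_ATTR_VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if vid != vendor_id:
        raise ValueError("attribute from another vendor")
    result = {"group": None, "permissions": []}
    pos = 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad vendor length")
        data = attr[pos + 2:pos + vlen]
        if vtype == VT_GROUP_NAME:
            result["group"] = data.decode("utf-8")
        elif vtype == VT_PERMISSIONS:
            result["permissions"] = [p.strip() for p in data.decode("utf-8").split(",") if p.strip()]
        # unknown vendor types are skipped, never trusted
        pos += vlen
    return result


# Constructed sample user groups (NOT from the manual): group name -> permissions
LOCAL_GROUPS = {"Maintenance": ["AccessGroup-1"], "Admins": ["Administration"]}


def permissions_from_response(decoded: dict, groups: dict = LOCAL_GROUPS):
    """Mirror the manual's 'check group or permissions from the response' step:
    a known group name yields that group's permissions, otherwise an explicit
    permission list is used; anything else means the RADIUS answer is rejected."""
    if decoded["group"] is not None:
        return groups.get(decoded["group"])   # None -> unknown group -> reject
    if decoded["permissions"]:
        return decoded["permissions"]
    return None
```

The decoder rejects short, over-long or foreign-vendor attributes rather than reading past the buffer, which is the behaviour a practitioner should expect from anything that turns RADIUS replies into device permissions.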
If you set unknown IP addresses or port numbers, multiple devices from an unprotected network will be able to access the PSS 4000 device in the protected network. Create precisely one rule for one connection, which has been configured for a PSS 4000 device.
The SecurityBridge uses X.509 certificates to secure communication between the VPN client and the SecurityBridge, plus the user interface. By default the system uses a self-signed CA certificate to sign the server certificate. The certificates are automatically generated by the SecurityBridge.
The Select Certificate Store window is opened.
5. Select Trusted Root Certification Authorities and click OK.
6. Click Next.
7. Click Complete. A safety warning may appear. Confirm that you wish to install the certificate.
CA certificate for the server certificate. The VPN client cannot download the correct CA certificate until the appropriate CA certificate has been uploaded.
Possible formats:
Effects: When a CA certificate is uploaded, any existing private key will be deleted.
SecurityBridge is restarted. If the active configuration is to be saved on the SecurityBridge and is to be available again on restart, it must be applied as the start configuration.
A message is generated when the checksum is changed in the connected device. The overall checksum for the project is used for PNOZmulti devices. The checksum for the FS project is used for PSS 4000 devices.
To create a connection to SecurityBridge for the first time, a new client connection has to be created. Proceed as follows: 1. Start the VPN client by clicking All programs > Pilz > SecurityBridge VPN Client. 2. Double-click on the symbol of the VPN client in the task bar to open the VPN client.
During authentication, the user name is always searched first in the local user management on the SecurityBridge's user interface. If the user name cannot be found in the internal user management and a RADIUS server is configured, a request is sent to the RADIUS server.
Fig.: Authentication via the internal user management (flowchart; decision steps: user found? → RADIUS server configured? → check setup mode: user permitted? → check passwords: successful? → check user group: assigned? → call up group permissions → authentication successful / authentication failed)
Fig.: Authentication via the RADIUS server (flowchart; decision steps: request to the RADIUS server: response? → request to the secondary RADIUS server: response? → user permitted? → check group or permissions from the response: value OK? → authentication successful / authentication failed)
The firmware can only be updated by users with Administration permission. The update packet is digitally signed to prevent manipulation. An update packet can be downloaded to the device from the download area on the Pilz website (file extension .fw) or via the software tool PASupdate. PASupdate will let you know when a new update is available.
Bypass mode is activated
User: You can configure the function and colour of the user LED.
Colour / State / Meaning:
– / – / No function configured
Green or red / – / Function depends on the configuration
Incorrect configuration of the IP address
All the data must be deleted, when the SecurityBridge is to be decommissioned for example (see operating instructions, Section Take SecurityBridge safely out of operation [ 41]).
If the system detects an internal error, it will switch to error mode. Settings for how the system should behave in error mode can be made on the user interface:
Availability: All data is forwarded
Security: No more data is forwarded
If you used a USB memory, remove the USB memory from the SecurityBridge and format it on the configuration PC. Do not carry out a quick formatting. Alternatively, you can use a program to safely delete data or destroy the memory mechanically.
The fieldbus module is in the protected network.
Fig. (application example; elements: SecurityBridge, fieldbus module, base unit + input/output module, protected network, PNOZmulti Configurator, control system; protected connection / unprotected connection)
SecurityBridge [ 22]. The release of the connection is made by a "1" signal at the input I0. If there is no release, all the connection attempts via the VPN client are prevented.
Access to the system in the protected network [
Fig.: Application example PSS 4000 with external control (elements: PSS 4000, SecurityBridge, PSS 4000 control system, VPN tunnel, PAS4000 OPC Server; protected connection / unprotected connection)
60068-2-30, EN 60068-2-78
Ambient temperature: In accordance with the standard EN 60068-2-14; Temperature range 0 - 60 °C
Storage temperature: In accordance with the standard EN 60068-2-1/-2; Temperature range -25 - 70 °C
0,25 - 2,5 mm², 24 - 12 AWG
2 core with the same cross section, flexible without crimp connectors or with TWIN crimp connectors: 0,2 - 1,5 mm², 24 - 16 AWG
Spring-loaded terminals:
Terminal points per connection
Stripping length with spring-loaded terminals: 9 mm
Dimensions: Height 96 mm, Width 45 mm, Depth 111,5 mm
Where standards are undated, the latest editions as of 2017-06 shall apply.
The IP address {{ip}} is locked because too many login attempts have failed.
1108: Access to web service denied for IP address {{ip}}.
1109: User "{{username}}", IP address {{ip}}: The IP address is blocked. Too many attempts to change the password.
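The manual lists these messages as templates with {{ip}} and {{username}} placeholders, and earlier recommends regularly checking the event log for security-relevant entries. The following is an added example, not Pilz code, of turning those templates into matchers and counting lock-out events per source IP. The line layout "<message id> <text>" and the sample log lines are constructed assumptions; the device's real export format is not shown on this page, and the message ID of the first template is cut off, so it is matched by text only.

```python
# Added example (not Pilz code): turn the manual's templated security log
# messages into regexes and count lock-outs per source IP over sample lines.
# The line layout "<message id> <text>" is an ASSUMPTION; the device's real
# log format is not shown on this page.
import re
from collections import Counter

TEMPLATES = {
    1108: "Access to web service denied for IP address {{ip}}.",
    1109: 'User "{{username}}", IP address {{ip}}: The IP address is blocked. '
          "Too many attempts to change the password.",
}
# The lock-out message's own ID is cut off on the page; it is matched by text only.
LOCKED_TEMPLATE = "The IP address {{ip}} is locked because too many login attempts have failed."

FIELD_PATTERNS = {
    "ip": r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    "username": r'(?P<username>[^"]*)',
}


def template_to_regex(template: str) -> re.Pattern:
    """Escape the literal text, then replace each {{field}} with a named group."""
    parts = re.split(r"(\{\{\w+\}\})", template)
    out = []
    for part in parts:
        m = re.fullmatch(r"\{\{(\w+)\}\}", part)
        out.append(FIELD_PATTERNS[m.group(1)] if m else re.escape(part))
    return re.compile("".join(out))


COMPILED = {mid: template_to_regex(t) for mid, t in TEMPLATES.items()}
COMPILED[None] = template_to_regex(LOCKED_TEMPLATE)


def parse_line(line: str):
    """Return (message_id, fields) for a recognised security message, else None."""
    for mid, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            return mid, m.groupdict()
    return None


def lockouts_per_ip(lines):
    """Count IP lock/block events (ID 1109 and the lock-out message) per source IP."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in (None, 1109):
            counts[parsed[1]["ip"]] += 1
    return dict(counts)


# Constructed sample lines (not real device output)
SAMPLE_LOG = [
    "1108 Access to web service denied for IP address 192.0.2.10.",
    '1109 User "operator", IP address 192.0.2.10: The IP address is blocked. '
    "Too many attempts to change the password.",
    "The IP address 198.51.100.7 is locked because too many login attempts have failed.",
    "The IP address 192.0.2.10 is locked because too many login attempts have failed.",
    "Link up on X1",
]

if __name__ == "__main__":
    for ip, n in lockouts_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} lock-out event(s)")
```

Matching by template rather than by substring keeps the extracted IP and user name tied to the exact message, so a per-IP count can drive an alert without being confused by other messages that merely mention an address.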
Module for secure authentication and communication with PNOZmulti 2 and PSS 4000: Order no. 311 502
16.2 Accessories
Connection terminals (Product type / Features / Order no.):
Set4 Spring Terminals / 1 set of spring-loaded terminals / 751016
Set4 Screw Terminals / 1 set of screw terminals / 750016
We are represented internationally. Please refer to our homepage www.pilz.com for further details or contact our headquarters. Headquarters: Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: info@pilz.com, Internet: www.pilz.com...